A View from Tom Simonite
An Epic Hack Performed With a Few Simple Tricks
The victim’s Apple devices suddenly went dark last Friday. Similar attacks remain possible.
Lax security practices by Apple and Amazon cost one journalist a year’s worth of photos and other data last Friday, in a chilling tale that’s a reminder that keeping data secure is far from a solved problem.
Mat Honan of Wired laid out what happened yesterday, explaining how he had all of his data wiped from his iPhone, iPad and MacBook using Apple’s remote wipe feature, which is intended to protect the data on a gadget if it is lost or stolen. Attackers got control of Honan’s Apple account by first taking advantage of a flaw in one of Amazon’s systems that gave them the last four digits of his credit card number. Those digits and an email address were all that was needed to convince Apple to hand over control of his account. As Honan put it:
[T]he very four digits that Amazon considers unimportant enough to display in the clear on the web are precisely the same ones that Apple considers secure enough to perform identity verification. The disconnect exposes flaws in data management policies endemic to the entire technology industry, and points to a looming nightmare as we enter the era of cloud computing and connected devices.
Amazon changed its customer service policies today to prevent the trick that compromised Honan’s account, Wired reports. Apple has so far said little, apart from denying the existence of the loophole that got Honan hacked, which he claims he was able to replicate several times.
Honan’s Gmail account was also compromised as part of the attack, the goal of which was simply to wrest control of his three-letter Twitter account, @mat. Many people have blogged and tweeted today to say that Honan – and everybody else – should use Google’s two-factor authentication, which is a more secure alternative to the traditional username and password. It involves using both a regular password and a one-time code generated by a phone app every time you log in.
Two-factor authentication could have helped protect Honan, and could boost the security of many other services, too. But despite Google’s best efforts, it still feels clunky to use. The debut of NFC chips in phones might reduce the burden, though, and Intel showed off laptops at CES back in January that processed online payments by having a person tap their phone on a computer to authenticate. However, companies will still need ways to help people who forget their passwords get back into their accounts. That means that we will remain at the mercy of various combinations of security questions and systems, like those that let Honan down, for a while yet.
In general, the best advice available is to understand how the services you use protect your account, and adjust your security questions, passwords and backup emails accordingly. Also, to avoid losing data irretrievably as Honan did, back up your data frequently in multiple places.